Rug 31 04 ,Ql:42p Michalik (425) 83G-8957 p. 5 

In re Application of Witt et al. 
Serial No. 09/560,788 

Listing of the Claims: 

1. (Currently Amended) In a computer system, a method comprising: 
receiving information indicative of a possible change to a protected file; and 
determining whether the change is valid by verifying the file, the verifying 

performed by a verification mechanism, and if not valid, preventing the change 
including discardi ng change data and returning a success to a component 

2. (Original) The method of claim 1 wherein receiving information 
indicative of a possible change includes receiving notification indicative of a change 
to a protected file. 

3. (Original) The method of claim 1 wherein receiving information 
indicative of a possible change includes receiving notification of a change to a file, 
and accessing information to determine whether the file is protected. 

4. (Original) The method of claim 1 wherein preventing the change 
includes overwriting a changed copy of the file with a valid copy of the protected 
file. 

5. (Canceled) 

6. (Original) The method of claim 1 wherein determining whether the 
change is valid by verifying the file includes obtaining cryptographic hash 
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information of the changed file and comparing the cryptographic hash information 
against cryptographic hash information associated with the protected file. 

7. (Original) The method of claim 6 wherein comparing the 
cryptographic hash information includes accessing a catalog of information for 
protected files. 



8. (Original) The method of claim 1 wherein determining whether the 
change is valid includes determining whether the file includes a signature. 

9. (Original) The method of claim 1 further comprising, monitoring files 
in a file system. 



10. (Original) The method of claim 1 wherein preventing the change 
includes copying a valid copy of the protected file to a former location of the 
protected file. 

1 1 . (Original) The method of claim 1 0 wherein copying a valid copy of 
the protected file includes finding a file having the same identity as the protected 
file. 



12. (Original) The method of claim 1 1 wherein finding the file having the 
same identity as the protected file includes accessing a cache. 
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1 3. (Original) The method of claim 12 further comprising verifying the file 
having the same identity. 

14. (Original) The method of claim 1 1 wherein finding the file having the 
same identity as the protected file includes accessing a network. 

15. (Original) The method of claim 14 further comprising verifying the file 
having the same identity. 

16. (Original) The method of claim 15 wherein finding the file having the 
same identity as the protected file includes accessing a recorded medium. 

17. (Original) The method of claim 16 further comprising verifying the file 
having the same identity. 

18. (Canceled) 

19. (Original) The method of claim 1 further comprising receiving 
information indicating that a protected file is about to be changed, preserving a 
copy of the protected file, and wherein preventing the change includes overwriting 
a changed copy of the file with a copy of the protected file that was preserved. 
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20. (Currently Amended) A computer-readable medium having 
computer-executable instructions, comprising: 

(1) selecting a plurality of files as protected files; 

(2) receiving information indicative of a possible change to a protected file; 

(3) determining whether the file is an exception case, and 

(a) if an exception case, allowing the change, or 

(b) if not an exception case, determining whether the change is valid 
by verifying the file, the verifying performed by a verification mechanism, and 

(i) if valid, allowing the change^ and 

(ii) if not valid, preventing the chang e; and 
14) returning information indicative of a success . 

21 . (Original) The computer-readable medium of claim 20 wherein 
receiving information indicative of a possible change includes receiving notification 
indicative of a change to a protected file. 

22. (Original) The computer-readable medium of claim 20 wherein 
receiving information indicative of a possible change includes receiving notification 
of a change to a file, and accessing information to determine whether the file is 
protected. 
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23. (Original) The computer-readable medium of claim 20 wherein 
preventing the change includes overwriting a changed copy of the file with a valid 
copy of the protected file. 

24. (Original) The computer-readable medium of clarm 20 wherein 
preventing the change includes discarding change data. 

25. (Canceled) 

26. (Original) The computer-readable medium of claim 20 wherein 
allowing the change includes writing data saved via a copy-on-write process to the 
file. 

27. (Original) The computer-readable medium of claim 20 wherein 
determining whether the file is an exception case includes checking a security 
descriptor of the file. 

28. (Original) The computer-readable medium of claim 20 further 
comprising providing a prompt before allowing a change. 

29. (Original) The computer-readable medium of claim 20 wherein 
determining whether the change is valid includes obtaining cryptographic hash 
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information of the changed file, and comparing the cryptographic hash information 
against cryptographic hash information associated with the protected file. 

30. (Original) The computer-readable medium of claim 20 wherein 
determining whether the change is valid includes determining whether the file 
includes a signature. 

31 . (Currently amended) A computer system, comprising, 
a protected file, 

a detection mechanism configured to determine when the protected file may 
be changed, 

a verification mechanism; and 

a file protection service, the file protection service configured to receive a 
determination from the detection mechanism that the protected file may be 
changed, and further configured to communicate with the verification mechanism to 
verify whether the change is valid, and to prevent the change by discarding 
changed data when the change is not valid, 

32. (Original) The computer system of claim 31 wherein the detection 
mechanism includes a mechanism for monitoring at least one directory for changes 
to at least one file therein. 
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33. (Original) The computer system of claim 31 wherein the detection 
mechanism provides a notification to the file protection service as the determination 
mechanism that the protected file may be changed. 

34. (Original) The computer system of claim 31 wherein the file 
protection service accesses a data structure to determine whether the notification 
received from the detection mechanism corresponds to a protected file. 

35. (Original) The computer system of claim 31 wherein the file 
protection service is incorporated into a file system. 

36. (Canceled) 

37. (Currently amended) The computer system of claim 3© 31 wherein 
the file protection service returns information indicative of a success. 

38. (Original) The computer system of claim 31 wherein the verification 
mechanism verifies whether the change to a file is valid by comparing a 
cryptographic hash of the file contents against a cryptographic hash associated 
with a valid file. 
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39. (Original) The computer system of claim 38 wherein the 
cryptographic hash associated with a valid file is maintained in a data structure 
including a cryptographic hash of the contents of at least one other protected file. 

40-45. (Canceled) 

46. (New) A computer system, comprising, 
a protected file, 

a detection mechanism configured to determine when the protected file may 
be changed, 

a verification mechanism; and 

a file protection service, the file protection service configured to receive a 
determination from the detection mechanism that the protected file may be 
changed, and further configured to communicate with the verification mechanism to 
verify whether the change is valid, and to prevent the change by locating valid data 
in a system cache and copying the valid data over changed data when the change 
is not valid. 

47. (New) A computer system, comprising, 
a protected file, 

a detection mechanism configured to determine when the protected file may 
be changed, 

a verification mechanism; and 
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a file protection service, the file protection service configured to receive a 
determination from the detection mechanism that the protected file may be 
changed, and further configured to communicate with the verification mechanism to 
verify whether the change is valid, and to prevent the change by locating valid data 
at a network share and copying the valid data over changed data when the change 
is not valid. 

48. (New) A computer system, comprising, 
a protected file, 

a detection mechanism configured to determine when the protected file may 
be changed, 

a verification mechanism; and 

a file protection service, the file protection service configured to receive a 
determination from the detection mechanism that the protected file may be 
changed, and further configured to communicate witti the verification mechanism to 
verify whether the change is valid, and to prevent the change by locating valid data 
in a recorded medium and copying the valid data over changed data when the 
change is not valid. 

49. (New) The computer system of claim 46 further comprising a 
scanning mechanism for causing a plurality of fifes to trigger the detection 
mechanism. 
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